Detection rules › Splunk
Disable Security Logs Using MiniNt Registry
The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the "Control\MiniNt" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
tstats WHERE Registry.registry_path="*\\Control\\MiniNt\\*" BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product
Stage 2: search
search
Stage 3: where
where isnotnull(registry_value_data)
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Registry.registry_path | eq |
|